ConvertToSecureStringAsPlainText

chanel-y · chanel-y · commit faa47f9bfbee · 2025-04-22T09:17:57.000-07:00
diff --git a/powershell/ql/src/experimental/ConvertToSecureStringAsPlainText.qhelp b/powershell/ql/src/experimental/ConvertToSecureStringAsPlainText.qhelp
@@ -0,0 +1,28 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The use of the AsPlainText parameter with the ConvertTo-SecureString command can expose secure information.</p>
+
+</overview>
+<recommendation>
+<p>
+If you do need an ability to retrieve the password from somewhere without prompting the user, consider using the <a href="https://www.powershellgallery.com/packages/Microsoft.PowerShell.SecretStore">SecretStore</a> module from the PowerShell Gallery.
+</p>
+</recommendation>
+<references>
+
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/Command_Injection">Command Injection</a>.
+</li>
+<li>
+PSScriptAnalyzer:
+<a href="https://learn.microsoft.com/en-us/powershell/utility-modules/psscriptanalyzer/rules/avoidusingconverttosecurestringwithplaintext?view=ps-modules">AvoidUsingConvertToSecureStringWithPlainText</a>.
+</li>
+<!--  LocalWords:  CWE untrusted unsanitized Runtime
+ -->
+
+</references>
+</qhelp>
diff --git a/powershell/ql/src/experimental/ConvertToSecureStringAsPlainText.ql b/powershell/ql/src/experimental/ConvertToSecureStringAsPlainText.ql
@@ -0,0 +1,19 @@
+/**
+ * @name Use of the AsPlainText parameter in ConvertTo-SecureString
+ * @description Do not use the AsPlainText parameter in ConvertTo-SecureString
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.0
+ * @precision high
+ * @id powershell/microsoft/public/convert-to-securestring-as-plaintext
+ * @tags correctness
+ *       security
+ */
+
+ import powershell
+
+ from CmdCall c 
+ where 
+ c.getName() = "ConvertTo-SecureString" and
+ c.hasNamedArgument("asplaintext")
+ select c, "Use of AsPlainText parameter in ConvertTo-SecureString call"
diff --git a/powershell/ql/src/experimental/UseOfReservedCmdletChar.ql b/powershell/ql/src/experimental/UseOfReservedCmdletChar.ql
@@ -8,8 +8,6 @@
  * @id powershell/microsoft/public/reserved-characters-in-function-name
  * @tags correctness
  *       security
- *       external/cwe/cwe-078
- *       external/cwe/cwe-088
  */
 
  import powershell
diff --git a/powershell/ql/test/query-tests/security/ConvertToSecureStringAsPlainText/ConvertToSecureStringAsPlainText.expected b/powershell/ql/test/query-tests/security/ConvertToSecureStringAsPlainText/ConvertToSecureStringAsPlainText.expected
@@ -0,0 +1 @@
+| test.ps1:2:19:2:79 | Call to ConvertTo-SecureString | Use of AsPlainText parameter in ConvertTo-SecureString call |

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\| test.ps1:2:19:2:79 \| Call to ConvertTo-SecureString \| Use of AsPlainText parameter in ConvertTo-SecureString call \|`